ece5d9b6cc
All checks were successful
Addresses review #907 blocker: docs/nomad-migration.md claimed --empty "skips policies/auth/import/deploy" but _disinto_init_nomad had no $empty gate around those blocks — operators reaching the "cluster-only escape hatch" would still invoke vault-apply-policies.sh and vault-nomad-auth.sh, contradicting the runbook. Changes: - _disinto_init_nomad: exit 0 immediately after cluster-up when --empty is set, in both dry-run and real-run branches. Only the cluster-up plan appears; no policies, no auth, no import, no deploy. Matches the docs. - disinto_init: reject --empty combined with any --import-* flag. --empty discards the import step, so the combination silently does nothing (worse failure mode than a clear error up front). Symmetric to the existing --empty vs --with check. - Pre-flight existence check for policies/auth scripts now runs unconditionally on the non-empty path (previously gated on --import-*), matching the unconditional invocation. Import-script check stays gated on --import-*. Non-blocking observation also addressed: the pre-flight guard comment + actual predicate were inconsistent ("unconditionally invoke policies+auth" but only checked on import). Now the predicate matches: [ "$empty" != "true" ] gates policies/auth, and an inner --import-* guard gates the import script. Tests (+3): - --empty --dry-run shows no S2.x sections (negative assertions) - --empty --import-env rejected - --empty --import-sops --age-key rejected 30/30 nomad tests pass; shellcheck clean. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| AGENT-DESIGN.md | ||
| agents-llama.md | ||
| BLAST-RADIUS.md | ||
| CLAUDE-AUTH-CONCURRENCY.md | ||
| edge-routing-fallback.md | ||
| EVAL-MCP-SERVER.md | ||
| EVIDENCE-ARCHITECTURE.md | ||
| investigation-685-reviewer-approved-destructive-compose.md | ||
| mirror-bootstrap.md | ||
| nomad-migration.md | ||
| OBSERVABLE-DEPLOY.md | ||
| PHASE-PROTOCOL.md | ||
| updating-factory.md | ||
| VAULT.md | ||